Runs AWS Security Agent threat model reviews on spec/design documents using STRIDE methodology to identify security-posture changes.
How this skill is triggered — by the user, by Claude, or both
Slash command
/aws-agents-for-devsecops:threat-modeling-with-aws-security-agentThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Analyze spec documents (`requirements.md`, `design.md`) against the source code to identify security-posture changes using STRIDE methodology. No prior scan needed.
Analyze spec documents (requirements.md, design.md) against the source code to identify security-posture changes using STRIDE methodology. No prior scan needed.
Read .security-agent/config.json for agent_space_id and region. If missing, run the setup-security-agent workflow inline first.
| Placeholder | How to resolve |
|---|---|
<id> (agent space) | config.agent_space_id |
<region> | config.region (default us-east-1) |
<account> | aws sts get-caller-identity --query Account --output text |
<role-arn> | arn:aws:iam::<account>:role/SecurityAgentScanRole |
<bucket> | security-agent-scans-<account>-<region> |
Pre-checks. Read config, verify agent space, resolve values.
Collect spec files. Identify the requirements.md and/or design.md the user is working on. Use absolute paths. Ask if unclear which files to review.
Zip the workspace (same exclusions as code scan):
cd <absolute-workspace-path>
zip -r /tmp/source.zip . \
-x ".git/*" -x ".security-agent/*" -x "node_modules/*" \
-x "__pycache__/*" -x ".venv/*" -x "venv/*" \
-x "dist/*" -x "build/*" -x "target/*" \
-x ".mypy_cache/*" -x ".pytest_cache/*" -x ".tox/*" \
-x ".next/*" -x "cdk.out/*" -x ".DS_Store" -x "*.pyc"
Upload source zip:
SCAN_ID="tm-$(date +%s)-$(openssl rand -hex 3)"
WORKSPACE_ID=$(printf '%s' "$(pwd)" | md5sum | cut -c1-12)
aws s3 cp /tmp/source.zip s3://<bucket>/security-scans/source/${WORKSPACE_ID}/source.zip
Upload spec files:
aws s3 cp /path/to/requirements.md s3://<bucket>/security-scans/threat-models/${SCAN_ID}/specs/requirements.md
aws s3 cp /path/to/design.md s3://<bucket>/security-scans/threat-models/${SCAN_ID}/specs/design.md
Create threat model:
aws securityagent create-threat-model --agent-space-id <id> --title <title> \
--service-role <role-arn> \
--assets sourceCode=[{s3Location=s3://<bucket>/security-scans/source/${WORKSPACE_ID}/source.zip}] \
--scope-docs '[{"s3Location":"s3://<bucket>/security-scans/threat-models/'${SCAN_ID}'/specs/requirements.md"},{"s3Location":"s3://<bucket>/security-scans/threat-models/'${SCAN_ID}'/specs/design.md"}]'
Capture threatModelId.
Start threat model job:
aws securityagent start-threat-model-job --agent-space-id <id> --threat-model-id <tm-id>
Capture threatJobId.
Persist to scans.json with scan_type: "THREAT_MODEL".
Tell user: "Threat model review started. Runtime varies with workspace size. I'll check every 2 minutes — say 'stop polling' to opt out."
Poll every 2 minutes:
aws securityagent batch-get-threat-model-jobs --agent-space-id <id> --threat-model-job-ids <tj-id>
Only respond when status changes.
On COMPLETED → fetch threats:
aws securityagent list-threats --agent-space-id <id> --threat-job-id <tj-id>
If nextToken, paginate with --next-token.
Each threat includes: statement, severity, stride category, threatImpact, recommendation, impactedAssets.
🟣 CRITICAL: {statement}
STRIDE: {stride}
Impact: {threatImpact}
Assets: {impactedAssets}
Recommendation: {recommendation}
🔴 HIGH: {statement}
...
Write full report to .security-agent/findings-{scan_id}.md. Call out any threat that represents a regression from the prior design.
threat-model-<feature-name> (no spaces)npx claudepluginhub arnewouters/agent-toolkit-for-aws --plugin aws-agents-for-devsecops5plugins reuse this skill
First indexed Jun 18, 2026
Runs AWS Security Agent threat model reviews on spec/design documents using STRIDE methodology to identify security-posture changes.
Produces a structured STRIDE-based threat model covering assets, trust boundaries, threat enumeration, risk scores, mitigation controls, and residual risk sign-off.
Conducts STRIDE-based threat modeling on software architectures for web, cloud, IoT, and mobile systems to identify vulnerabilities and propose mitigations.